* Ron Johnson:
> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>
> What are people's thoughts on this?
HTTPS doesn't help against non-trusted mirrors.
The difficult question is how to tell an APT source which is not updated
regularly from an APT source that has been rolled back in a replay
attack.
Apart from that, this is clearly a PR stunt. Next, we might see someone
who tries to get into the project, with the intent to upload Trojanized
packages--all in the name of academic research.